Method and apparatus for restricting address resolution protocol table updates

ABSTRACT

A method of restricting Address Resolution Protocol (ARP) table updates to updates originating from authorized subsystems is disclosed. According to one aspect of the method, an instruction to update an ARP table is received. It is determined whether a particular subsystem from which the instruction originated is authorized. If the particular subsystem is authorized, then the ARP table is updated based on the instruction.

FIELD OF THE INVENTION

The present invention generally relates to computer network security. The invention relates more specifically to a method and apparatus for restricting Address Resolution Protocol (ARP) table updates.

BACKGROUND OF THE INVENTION

The approaches described in this section could be pursued, but are not necessarily approaches that previously have been conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.

For various reasons, it is often desirable to restrict access to a computer network, such as a local area network (LAN), wide area network (WAN), or inter-network. For example, a provider of computer network services may wish to allow only subscribing users to access the provider's computer network. By restricting access in this way, the provider can obtain compensation from the subscribing users in exchange for computer network access. Additionally, by restricting access in this way, the provider can prevent the quality of the computer network's services from being diluted by non-subscribing users.

In certain computer network configurations, all data traffic between a user and a provider's computer network is communicated through a network access point in the provider's computer network. A network access point may comprise a network router that comprises a Dynamic Host Configuration Protocol (DHCP) server. DHCP is described in the Internet Engineering Task Force (IETF) Request For Comments (RFC) 2131. When a user's device initially connects to a provider's computer network through the network access point, the user's device obtains, dynamically, from the DHCP server, a network layer address selected from a set of legitimate network layer addresses. The network layer address is assigned to the user's device. This dynamically assigned network layer address identifies the user's device to the provider's computer network. In the provider's computer network, all data that is to be sent to the user is addressed to the dynamically assigned network layer address, which may be, for example, an Internet Protocol (IP) address.

An entry is added to the network router's ARP table. ARP is described in IETF RFC 826. The entry indicates a binding between the dynamically assigned network layer address and a data link layer address, such as a Media Access Control (MAC) address, of the user's device. Whenever the network router receives a data packet that is addressed to the network layer address, the network router consults the ARP table to find the entry that contains the network layer address. From the entry, the network router determines the data link layer address that is bound to the network layer address. The network router then encapsulates the data packet into a frame that indicates the data link layer address, and sends the frame to the device that is associated with the data link layer address; i.e., the user's device. Without the entry in the ARP table, the network router would be unable to deliver the data packet to the user's device.

In an effort to restrict computer network access solely to subscribing users, the provider may implement a security mechanism such as a login procedure. The security mechanism may request a username and associated password from the user. If the user provides a username and associated password that the security mechanism recognizes, then the security mechanism may allow the user to access the computer network for a specified amount of time or until the user elects to logout. Alternatively, if the user fails to provide a username and associated password that the security mechanism recognizes, then the security mechanism may prevent the user from accessing the computer network.

If the user successfully provides a recognized username and associated password, then the security mechanism associates the dynamically assigned network layer address with the username. Therefore, any network activity attributable to the network layer address is attributable to the username. To receive compensation for such network activity, the provider may bill the user associated with the username. When the user logs off through a provided mechanism, then the username is no longer associated with the network layer address.

Unfortunately, even after a legitimate network layer address has been associated with an authenticated username, it is relatively easy for a rogue user to cause a different data link layer address to be bound to the legitimate network layer address in the network router's ARP table. The rogue user only needs to send, to the network router, a forged ARP message that indicates that the legitimate network layer address is associated with the data link layer address of the rogue user's device. In response to receiving the forged ARP message, the network router ignorantly updates the network router's ARP table to contain a binding between the legitimate network layer address and the data link layer address of the rogue user's device. Thereafter, the rogue user can access the provider's computer network, and the rogue user's network activities will be attributed to the authenticated username.

This is just one of several ways in which access restrictions can be circumvented. Additionally, a user may guess or otherwise determine a legitimate network layer address within the provider's computer network, and use that network layer address instead of the network layer address that was dynamically assigned by the DHCP server. In that case, the entry added to the network router's ARP table indicates a binding between the data link layer address of the user's device and a network layer address which, although legitimate, was not assigned by the DHCP server. Some network activity tracking systems cannot detect that a user has logged off or otherwise disconnected from a network unless the user's device is associated with a network layer address assigned by the DHCP server. As a result, the user may remain logged on to the provider's network even after the user thought that he had logged off using a provided mechanism. This can cause internal processing errors or result in incorrect billing of service to the user.

The problems described above are at least partially a consequence of a lack of restrictions imposed on ARP table updates. Based on the foregoing, there is a clear need for a method of restricting ARP table updates to updates originating from authorized subsystems.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which like reference numerals refer to similar elements and in which:

FIG. 1 is a block diagram that illustrates an overview of an example system that may be used to practice a method of restricting ARP table updates to updates originating from authorized subsystems;

FIG. 2 is a flow diagram that illustrates a high level overview of one embodiment of a method of restricting ARP table updates to updates originating from authorized subsystems;

FIG. 3 is a flow diagram that illustrates one embodiment of a method of restricting selected ARP table updates to updates originating from authorized subsystems;

FIG. 4A and FIG. 4B are flow diagrams that illustrate one embodiment of a process for sending an instruction to update an ARP table; and

FIG. 5 is a block diagram that illustrates a computer system upon which an embodiment may be implemented.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

A method and apparatus for restricting ARP table updates to updates originating from authorized subsystems is described. In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present invention.

Embodiments are described herein according to the following outline:

1.0 General Overview
2.0 Structural and Functional Overview
3.0 Method of Restricting ARP Table Updates To Updates Originating From Authorized Subsystems
3.1 Processing Received Updates
3.2 Process of Sending An Instruction To Update An ARP Table
4.0 Implementation Mechanisms - Hardware Overview
5.0 Extensions and Alternatives

1.0 GENERAL OVERVIEW

The needs identified in the foregoing Background, and other needs and objects that will become apparent from the following description, are achieved in the present invention, which comprises, in one aspect, a method of restricting Address Resolution Protocol (ARP) table updates to updates originating from authorized subsystems. According to one aspect of the method, an instruction to update an ARP table is received. It is determined whether a particular subsystem from which the instruction originated is authorized. If the particular subsystem is authorized, then the ARP table is updated based on the instruction.

For example, an ARP process may receive an instruction to update an ARP table. The ARP process may determine whether the instruction originated from a DHCP server that is specified to be an authorized subsystem. If the instruction originated from the DHCP server, then the ARP process may update the ARP table based on the instruction. If the instruction did not originate from the DHCP server, then the ARP process may ignore the instruction, thereby preventing the ARP table from being updated based on the instruction.

Unlike previous approaches to updating ARP tables, techniques disclosed herein do not allow all ARP messages, regardless of their origin, to cause an ARP table to be modified. As a result, techniques disclosed herein can be used to prevent rogue users from modifying legitimate bindings contained in an ARP table. As another result, techniques disclosed herein can be used to prevent ARP tables from containing bindings that comprise network layer addresses that were not supplied by a DHCP server or other authorized subsystem.

In other aspects, the invention encompasses a computer apparatus and a computer-readable medium configured to carry out the foregoing steps.

2.0 STRUCTURAL AND FUNCTIONAL OVERVIEW

FIG. 1 is a block diagram that illustrates an overview of an example system 100 that may be used to practice a method of restricting Address Resolution Protocol (ARP) table updates to updates originating from authorized subsystems. As used herein, a subsystem is any entity, process, device, or mechanism that is capable of sending an instruction that has the purpose or result of causing an ARP table to be updated. System 100 comprises a provider's network 102, a network router 104, and users' devices 106A and 106B. Systems of alternative embodiments may comprise more or fewer components than those in system 100.

Provider's network 102 may be a LAN, a WAN, one or more inter-networks, etc. Provider's network 102 comprises network router 104. Network router 104 comprises network interfaces 108A and 108B. User's device 106A is coupled communicatively to network router 104 through network interface 108A. User's device 106B is coupled communicatively to network router 104 through network interface 108B. Users' devices 106A and 106B may be coupled communicatively to router 104 through one or more cables, wireless connections, network hubs, and/or network bridges. In system 100, all data traffic flowing between provider's network 102 and either one of users' devices 106A and 106B flows through network router 104. Users' devices 106A and 106B may be computers, workstations, processes, applications, agents, etc.

Network router 104 further comprises an ARP process 110 and an ARP table 112. ARP process 110 receives all instructions to update ARP table 112. ARP table 112 is updated only by ARP process 110. Network router 104 encapsulates network layer data packets into data link layer frames based on entries contained in ARP table 112. For example, if ARP table 112 contains an entry that indicates a binding between a data link layer address of user's device 106A and a particular network layer address, then network router 104 will encapsulate, in frames that indicate the data link layer address of user's device 106A, data packets destined for the particular network layer address. Network router 104 will consequently deliver the frames to user's device 106A.

Unlike some other network routers, network router 104 is configured to not proactively discover data link layer addresses that correspond to network layer addresses. For example, even if network router 104 receives a data packet that indicates a destination network layer address that is not contained in ARP table 112, the network router will not attempt to learn which one of users' devices 106A and 106B is associated with the destination network layer address. ARP process 110 does not broadcast ARP messages that ask other network devices to tell network router 104 data link layer addresses that are associated with network layer addresses. Thus, if network router 104 receives a data packet that is addressed to a network layer address that is not contained in ARP table 112, then the network router will not encapsulate and forward the data packet.

According to one embodiment, ARP process 110 ignores all ARP messages that indicate that a particular data link layer address is associated with a particular network layer address. ARP process 110 does not add, remove, or modify entries in ARP table 112 based on such ARP messages. Therefore, in one embodiment, ARP table 112 can only be updated in response to instructions other than ARP messages. As a result, ARP table 112 cannot be contaminated with illegitimate bindings based on forged ARP messages. According to an alternative embodiment, ARP process 110 ignores only such ARP messages that also indicate selected network layer addresses and/or such ARP messages that also were received through selected ones of network interfaces 108A and 108B.

Network router 104 further comprises authorized subsystems 114A-114C. Authorized subsystems 114A-114C comprise DHCP server 114A; a device that is using or running Network Address Translation (NAT) 114B; and Authentication, Authorization, Accounting (AAA) server 114C. Network Address Translators are described in IETF RFC 3022. AAA servers are described in IETF RFC 2903. While, in system 100, DHCP server 114A, NAT 114B, and AAA server 114C are authorized subsystems, more or fewer or different subsystems than these may be authorized in systems of alternative embodiments. While network router 104 comprises authorized subsystems 114A-114C, in alternative embodiments, one or more authorized subsystems may be external to a network router.

In response to certain events, authorized subsystems 114A-114C send, to ARP process 110, instructions to update ARP table 112. Such instructions may include instructions to add, remove, or modify specific entries in ARP table 112. According to one embodiment, when ARP process 110 receives an instruction to update ARP table 112, the ARP process determines whether the instruction originated from an authorized subsystem. ARP process 110 may make this determination by determining whether the subsystem from which the instruction originated is identified in a set of specified authorized subsystems. If the instruction originated from an authorized subsystem, then ARP process 110 updates ARP table 112 based on the instruction. According to one embodiment, ARP process 110 ignores all instructions that did not originate from an authorized subsystem. As a result, ARP table 112 cannot be contaminated with bindings that were generated as a consequence of the automatic learning of a network layer address that a user did not obtain from an authorized subsystem.

When ARP table 112 is restricted to contain only bindings that were generated by authorized subsystems, network router 104 is restricted to forward data packets only to ones of users' devices 106A and 106B that were assigned a network layer address by one of authorized subsystems 114A-114C. Entries in ARP table 112 are “locked” relative to ARP messages from users' devices 106A and 106B. The process of adding an entry to an ARP table in response to an instruction from an authorized subsystem may be called “ARP locking.” Entries in ARP table 112 are secure.

FIG. 2 is a flow diagram that illustrates a high level overview of one embodiment of a method 200 of restricting Address Resolution Protocol (ARP) table updates to updates originating from authorized subsystems. Such a method may be performed by any of many different mechanisms, such as, for example, ARP process 110 described above.

In block 202, an instruction is received to update an ARP table. For example, ARP process 110 may receive, from DHCP server 114A, an instruction to add, to ARP table 112, a binding between an IP address, which the DHCP server assigned to user's device 106A, and the user's device's MAC address.

In block 204, it is determined whether a subsystem from which the instruction originated is authorized. For example, ARP process 110 may determine whether the subsystem from which the instruction originated is contained in a set of one or more specified authorized subsystems. The set of one or more specified authorized subsystems may contain DHCP server 114A, NAT 114B, and AAA server 114C. For another example, ARP process 110 may determine whether the instruction was received through a command interface that is designed to receive instructions exclusively from authorized subsystems. If the subsystem is authorized, then control passes to block 206. If the subsystem is not authorized, then control passes to block 208.

In block 206, the ARP table is updated based on the instruction. For example, based on the specific details of the instruction, ARP process 110 may add a specified entry to, remove a specified entry from, or modify a specified entry within, ARP table 112.

According to one embodiment, in block 208, updating of the ARP table based on the instruction is prevented. For example, ARP process 110 may ignore an ARP message, from user's device 106B, that indicates that a particular IP address in ARP table 112 is associated with the MAC address of user's device 106B. In alternative embodiments, the ARP table may be updated based on the instruction if certain other specified conditions are satisfied.

As a result of method 200, an ARP table cannot be contaminated with entries that contain IP addresses that were not assigned by an authorized subsystem. This, in turn, helps to prevent unauthorized network access and billing errors.

3.0 METHOD OF RESTRICTING ARP TABLE UPDATES TO UPDATES ORIGINATING FROM AUTHORIZED SUBSYSTEMS

3.1 Processing Received Updates

It is sometimes desirable to allow an ARP table to be updated, under certain specified conditions, even in response to an instruction that did not originate from an authorized subsystem. For example, it may be desirable to prevent updates based on ARP messages received through certain specified network interfaces of a network router, and to freely allow updates based on ARP messages received through other network interfaces of the network router. It may be desirable to prevent updates that relate to network addresses within certain specified subnets of a network, and to freely allow updates that relate to network addresses within other subnets. FIG. 3 is a flow diagram that illustrates one embodiment of a method 300 of restricting selected ARP table updates to updates originating from authorized subsystems. Such a method may be performed by any of many different mechanisms, such as, for example, ARP process 110 described above.

In block 302, an instruction is received to update an ARP table. For example, ARP process 110 may receive, from DHCP server 114A, an instruction to add, to ARP table 112, a binding between an IP address, which the DHCP server assigned to user's device 106A, and the user's device's MAC address. For another example, ARP process 110 may receive, through network interface 108B, an ARP message that indicates that an IP address is associated with the MAC address of user's device 106B. Such an ARP message is an instruction to update ARP table 112.

In block 304, it is determined whether a network interface through which the instruction was received is contained in a set of one or more specified network interfaces. For example, if an ARP message was received through network interface 108B, then ARP process 110 may determine whether network interface 108B is contained in a set of one or more specified restricted network interfaces. If the network interface through which the instruction was received is contained in the set of one or more specified network interfaces, then control passes to block 310. Otherwise, control passes to block 306.

In block 306, it is determined whether a network address indicated by the instruction is contained in a set of one or more specified network addresses. For example, if an ARP message specifies that IP address 192.206.0.1 is associated with the MAC address of user's device 106B, then ARP process 110 may determine whether IP address 192.206.0.1 is contained in a set of one or more specified restricted subnets. A subnet describes a range of network addresses. If the network address specified by the instruction is contained in the set of one or more specified network addresses, then control passes to block 310. Otherwise, control passes to block 308.

In block 308, the ARP table is updated based on the instruction. For example, if an ARP message specifies that IP address 192.206.0.1 is associated with the MAC address of user's device 106B, then ARP process 110 may update ARP table 112 to contain an association between IP address 192.206.0.1 and the MAC address of user's device 106B.

In block 310, it is determined whether a subsystem from which the instruction originated is authorized. If the subsystem is authorized, then control passes to block 308. If the subsystem is not authorized, then control passes to block 312.

In block 312, updating of the ARP table based on the instruction is prevented.

As a result of method 300, certain entries in an ARP table may be locked and made secure against ARP messages coming through specified network interfaces. Certain entries in an ARP table may be locked and made secure against ARP messages that relate to specified network addresses. These features help to prevent billing errors and unauthorized network access.
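The decision flow of method 300 (blocks 302 through 312), which generalizes method 200 by gating only selected updates, can be written down as a small ARP process. The following is an added example, not code from the patent: the subsystem names ("dhcp", "nat", "aaa"), the interface names, the MAC addresses and the restricted subnet 192.206.0.0/24 are constructed for the scenario; the address 192.206.0.1 is the one used in the text. Passing lock_all=True gates every instruction on its origin, which is the behaviour of method 200.

```python
"""Added example: ARP process applying method 300 (FIG. 3); lock_all=True gives method 200."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# The set of specified authorized subsystems (blocks 204 and 310). The names are
# constructed and stand for DHCP server 114A, NAT 114B and AAA server 114C.
AUTHORIZED_SUBSYSTEMS = frozenset({"dhcp", "nat", "aaa"})


@dataclass(frozen=True)
class UpdateInstruction:
    """One instruction to update the ARP table (block 302).

    origin is the subsystem that produced it, or "arp-message" when the instruction
    is a raw ARP message from a host. interface is the network interface it arrived
    through; None for subsystems inside the router.
    """
    action: str                      # "add", "modify" or "remove"
    ip: IPv4Address                  # network layer address of the binding
    mac: Optional[str]               # data link layer address; None for "remove"
    origin: str
    interface: Optional[str] = None


@dataclass
class ArpProcess:
    restricted_interfaces: frozenset = frozenset()   # block 304's set of interfaces
    restricted_subnets: tuple = ()                   # block 306's set, as IPv4Network objects
    lock_all: bool = False                           # True: gate every instruction (method 200)
    table: dict = field(default_factory=dict)        # ARP table 112: ip -> mac

    def is_authorized(self, instr: UpdateInstruction) -> bool:
        # Blocks 204 / 310: is the originating subsystem in the specified set?
        return instr.origin in AUTHORIZED_SUBSYSTEMS

    def handle(self, instr: UpdateInstruction) -> bool:
        """Return True if the table was updated, False if the update was prevented."""
        if self.lock_all:
            return self._gate(instr)
        # Block 304: received through a restricted interface?
        if instr.interface in self.restricted_interfaces:
            return self._gate(instr)
        # Block 306: address within a restricted subnet?
        if any(instr.ip in net for net in self.restricted_subnets):
            return self._gate(instr)
        # Block 308: neither restriction applies, so the update is applied freely.
        return self._apply(instr)

    def _gate(self, instr: UpdateInstruction) -> bool:
        # Block 310: authorized origin -> block 308; otherwise block 312 (prevented).
        return self._apply(instr) if self.is_authorized(instr) else False

    def _apply(self, instr: UpdateInstruction) -> bool:
        if instr.action == "add":
            self.table[instr.ip] = instr.mac
            return True
        if instr.action == "modify" and instr.ip in self.table:
            self.table[instr.ip] = instr.mac
            return True
        if instr.action == "remove" and instr.ip in self.table:
            del self.table[instr.ip]
            return True
        return False


def demo() -> dict:
    """Constructed scenario on system 100: device 106A behind 108A, 106B behind 108B."""
    arp = ArpProcess(
        restricted_interfaces=frozenset({"108B"}),
        # Constructed subnet, chosen to contain the text's example address 192.206.0.1.
        restricted_subnets=(ip_network("192.206.0.0/24"),),
    )
    mac_a, mac_b = "02:00:00:00:01:0a", "02:00:00:00:01:0b"   # constructed MAC addresses
    ip1 = ip_address("192.206.0.1")
    # DHCP server 114A assigns 192.206.0.1 to device 106A: authorized origin, applied.
    r_dhcp = arp.handle(UpdateInstruction("add", ip1, mac_a, origin="dhcp"))
    # ARP message from 106B through restricted 108B claiming 192.206.0.1: 304 -> 310 -> 312.
    r_if = arp.handle(UpdateInstruction("modify", ip1, mac_b, "arp-message", "108B"))
    # Same claim through unrestricted 108A, but the address is in a locked subnet: 306 -> 310 -> 312.
    r_net = arp.handle(UpdateInstruction("modify", ip1, mac_b, "arp-message", "108A"))
    # ARP message through 108A for an address outside the locked subnet: block 308, applied.
    r_free = arp.handle(UpdateInstruction("add", ip_address("10.0.0.5"), mac_b, "arp-message", "108A"))
    # The same free message handled by a fully locked process (method 200): prevented.
    r_locked = ArpProcess(lock_all=True).handle(
        UpdateInstruction("add", ip_address("10.0.0.5"), mac_b, "arp-message", "108A"))
    return {"dhcp_add": r_dhcp, "blocked_by_interface": r_if, "blocked_by_subnet": r_net,
            "free_add": r_free, "locked_free_add": r_locked, "binding": arp.table[ip1]}


if __name__ == "__main__":
    print(demo())
```

The binding installed by the DHCP server survives both ARP messages that claim the address, while the message for an address outside every restricted subnet and off every restricted interface is applied freely, which is exactly the split between block 308 and block 312.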

3.2 Process of Sending an Instruction to Update an ARP Table

In response to specified events, certain authorized subsystems may send, to an ARP process such as ARP process 110, an instruction to update an ARP table such as ARP table 112. Such authorized subsystems may comprise DHCP server 114A, NAT 114B, AAA server 114C, and a Hypertext Transfer Protocol (HTTP) based authentication server (not shown). FIGS. 4A and 4B are flow diagrams that illustrate one embodiment of a process 400 of sending an instruction to update an ARP table. Such a process may be performed by any of many different mechanisms, such as, for example, DHCP server 114A described above.

In block 402, a DHCP message that indicates a network layer address is received. For example, DHCP server 114A may receive, from user's device 106A, a DHCPREQUEST message that indicates that the user's device accepts the DHCP server's offer to assign a particular IP address to the user's device. The DHCPREQUEST message indicates the particular IP address.

In block 404, in response to receiving the DHCP message, it is determined whether the network layer address is bound with a data link layer address. Continuing the example, DHCP server 114A may determine whether the particular IP address already is bound with a MAC address other than the MAC address of user's device 106A. If the network layer address is not bound with a data link layer address, then control passes to block 406. Otherwise, control passes to block 422.

In block 406, an instruction to update an ARP table is sent. For example, DHCP server 114A may send an instruction to ARP process 110. The instruction may indicate that ARP table 112 is to be updated to contain a binding between the particular IP address and the MAC address of user's device 106A. The instruction may indicate that the binding is valid for a specified period of time, such as the duration of the DHCP lease. Each entry in ARP table 112 may be associated with a timestamp that indicates a time at which the entry expires.

In block 408, an instruction is sent to an accounting system to start an accounting process in connection with the network layer address. For example, DHCP server 114A may send an instruction to a user accounting system that instructs the user accounting system to start keeping track of time in relation to a username that was associated with the particular IP address when the DHCP server assigned the particular IP address to user's device 106A. In response to the instruction, the user accounting system may begin to track how long the user associated with the username will be logged in to provider's network 102.

In block 410, it is determined whether a lease associated with the network layer address has expired. For example, DHCP server 114A may determine whether a lease of the particular IP address to user's device 106A has expired. If the lease has expired, then control passes to block 412. Otherwise, control passes to block 416.

In block 412, an instruction to update the ARP table is sent. For example, DHCP server 114A may send an instruction to ARP process 110. The instruction may indicate that ARP table 112 is to be updated to remove a binding between the particular IP address and the MAC address of user's device 106A. According to one embodiment, ARP process 110 automatically removes, from ARP table 112, bindings that are associated with timestamps that indicate past times, regardless of whether the ARP process has been specifically instructed to do so by an authorized subsystem.

In block 414, an instruction is sent to an accounting system to stop an accounting process in connection with the network layer address. For example, DHCP server 114A may send an instruction to the user accounting system that instructs the user accounting system to stop keeping track of time in relation to the username that is associated with the particular IP address. In response to the instruction, the user accounting system makes a determination as to the total amount of time that the user was logged in to provider's network 102. The user accounting system may bill the user accordingly.

In block 416, it is determined whether a DHCP message, which requests an extension of the lease associated with the network layer address, has been received. For example, DHCP server 114A may receive, from user's device 106A, a DHCPREQUEST message that requests that the lease of the particular IP address to the user's device be extended. If such a DHCP message has been received, then control passes to block 418. Otherwise, control passes to block 420.

In block 418, an instruction to update the ARP table is sent. For example, DHCP server 114A may send an instruction to ARP process 110. The instruction may indicate that ARP table 112 is to be updated to indicate that a binding between the particular IP address and the MAC address of user's device 106A is to remain valid for a longer duration. In response, ARP process 110 may update a timestamp associated with the binding to indicate a later expiration time. Control then passes back to block 410.

In block 420, it is determined whether a DHCP message, which relinquishes the lease associated with the network layer address, has been received. For example, DHCP server 114A may receive, from user's device 106A, a DHCPRELEASE message that relinquishes the lease of the particular IP address to the user's device. If such a DHCP message has been received, then control passes to block 412. Otherwise, control passes back to block 410.

In block 422, an instruction to update the ARP table is not sent. For example, because neither DHCP server 114A nor any other authorized subsystem sent an instruction to update ARP table 112, the ARP table remains unchanged.
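Process 400 (blocks 402 through 422) is a lease lifecycle driven by the DHCP server, with the ARP table and the accounting system as the two things it instructs. The following is an added example, not the patent's code, that plays that lifecycle through: a DHCP server object that sends add, extend and remove instructions to a timestamped ARP table, refuses to send anything when the address is already bound to another MAC (block 422), and starts and stops accounting at lease start and end. The addresses, MACs, usernames, lease length and timeline are constructed; 192.206.0.1 is the address used in the text. The ARP table also shows the embodiment from block 412 in which expired bindings are purged by timestamp without an explicit instruction.

```python
"""Added example: DHCP-side process 400 (FIGS. 4A/4B) driving a timestamped, locked ARP table."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ArpEntry:
    mac: str
    expires_at: float   # block 406: the binding's validity is tied to the lease


class LockedArpTable:
    """ARP table 112 as kept by the ARP process. Only the DHCP server object below
    calls these methods here, so every entry stems from an authorized subsystem."""

    def __init__(self) -> None:
        self.entries: dict = {}   # ip -> ArpEntry

    def add(self, ip: str, mac: str, expires_at: float) -> None:
        self.entries[ip] = ArpEntry(mac, expires_at)

    def extend(self, ip: str, expires_at: float) -> None:
        if ip in self.entries:                       # block 418: later expiration time
            self.entries[ip].expires_at = expires_at

    def remove(self, ip: str) -> None:
        self.entries.pop(ip, None)

    def purge(self, now: float) -> None:
        # Block 412 alternative: drop bindings whose timestamp has passed, unprompted.
        for ip in [ip for ip, e in self.entries.items() if e.expires_at <= now]:
            del self.entries[ip]

    def lookup(self, ip: str) -> Optional[ArpEntry]:
        return self.entries.get(ip)


@dataclass
class Accounting:
    """User accounting system: start/stop timing per username (blocks 408 and 414)."""
    started: dict = field(default_factory=dict)
    totals: dict = field(default_factory=dict)

    def start(self, username: str, now: float) -> None:
        self.started[username] = now

    def stop(self, username: str, now: float) -> None:
        t0 = self.started.pop(username, None)
        if t0 is not None:
            self.totals[username] = self.totals.get(username, 0.0) + (now - t0)


@dataclass
class Lease:
    mac: str
    username: str
    expires_at: float


class DhcpServer:
    """DHCP server 114A running process 400."""

    def __init__(self, arp: LockedArpTable, accounting: Accounting, lease_seconds: float) -> None:
        self.arp, self.accounting, self.lease_seconds = arp, accounting, lease_seconds
        self.leases: dict = {}   # ip -> Lease

    def on_dhcprequest(self, ip: str, mac: str, username: str, now: float) -> bool:
        """Block 402: DHCPREQUEST for ip. Returns True if an ARP instruction was sent."""
        bound = self.arp.lookup(ip)
        if bound is not None and bound.mac != mac:
            return False   # block 404 -> 422: ip already bound to another MAC, send nothing
        expires = now + self.lease_seconds
        lease = self.leases.get(ip)
        if lease is not None and lease.mac == mac:
            lease.expires_at = expires                # block 416 -> 418: renewal extends the binding
            self.arp.extend(ip, expires)
            return True
        self.leases[ip] = Lease(mac, username, expires)
        self.arp.add(ip, mac, expires)                # block 406
        self.accounting.start(username, now)          # block 408
        return True

    def on_dhcprelease(self, ip: str, mac: str, now: float) -> bool:
        """Block 420: DHCPRELEASE from the lease holder -> blocks 412 and 414."""
        lease = self.leases.get(ip)
        if lease is None or lease.mac != mac:
            return False
        self._end_lease(ip, now)
        return True

    def tick(self, now: float) -> None:
        """Block 410: leases whose time has passed -> blocks 412 and 414."""
        for ip in [ip for ip, l in self.leases.items() if l.expires_at <= now]:
            self._end_lease(ip, now)
        self.arp.purge(now)

    def _end_lease(self, ip: str, now: float) -> None:
        lease = self.leases.pop(ip)
        self.arp.remove(ip)                           # block 412
        self.accounting.stop(lease.username, now)     # block 414


def demo() -> dict:
    """Constructed timeline in seconds for two users; the lease length is 600 s."""
    arp, acct = LockedArpTable(), Accounting()
    dhcp = DhcpServer(arp, acct, lease_seconds=600)
    ip_a, mac_a = "192.206.0.1", "02:00:00:00:01:0a"   # text's address, constructed MAC
    ip_b, mac_b = "192.206.0.2", "02:00:00:00:01:0b"   # constructed
    first = dhcp.on_dhcprequest(ip_a, mac_a, "alice", now=0)
    taken = dhcp.on_dhcprequest(ip_a, "02:00:00:00:01:0c", "mallory", now=10)  # block 422
    dhcp.on_dhcprequest(ip_b, mac_b, "bob", now=0)
    dhcp.on_dhcprequest(ip_a, mac_a, "alice", now=500)   # renewal: valid until 1100
    dhcp.tick(700)    # bob's lease (expired at 600) is torn down; alice's survives
    alive_after_renewal = arp.lookup(ip_a) is not None
    bob_gone = arp.lookup(ip_b) is None
    dhcp.on_dhcprelease(ip_a, mac_a, now=800)
    return {"first_lease": first, "conflict_refused": not taken,
            "alive_after_renewal": alive_after_renewal, "expired_removed": bob_gone,
            "released_removed": arp.lookup(ip_a) is None,
            "alice_seconds": acct.totals.get("alice"), "bob_seconds": acct.totals.get("bob")}
```

Because accounting starts and stops only on the DHCP server's own instructions, the billed time for each username follows the lease (alice: 0 to 800 s after her release, bob: 0 to 700 s when his expiry was detected), and no ARP message from a host can move either figure.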

In this manner, ARP table updates may originate from authorized subsystems, so that ARP table updates may be restricted to updates that originate from authorized subsystems. Where users' devices cannot receive data packets from a provider's network without obtaining access through an authorized subsystem, user accounting processes may be based on instructions received from authorized subsystems. As a result, user accounting processes cannot be circumvented by a forged ARP message or the use of a network layer address that was not obtained from an authorized subsystem.

While the examples above make reference to instructions being sent from DHCP server 114A in response to certain events, such as the lease or relinquishment of an IP address, instructions from other authorized subsystems similarly may be sent in response to events that relate specifically to those authorized subsystems. For example, NAT 114B may send instructions to update ARP table 112 in response to detecting data packets that indicate network addresses in specified networks. For another example, AAA server 114C may send instructions to update ARP table 112 in response to receiving authentication information from a user during a login process.

4.0 IMPLEMENTATION MECHANISMS

Hardware Overview

FIG. 5 is a block diagram that illustrates a computer system 500 uponwhich an embodiment of the invention may be implemented. The preferredembodiment is implemented using one or more computer programs running ona network element such as a router device. Thus, in this embodiment, thecomputer system 500 is a router.

Computer system 500 includes a bus 502 or other communication mechanismfor communicating information, and a processor 504 coupled with bus 502for processing information. Computer system 500 also includes a mainmemory 506, such as a random access memory (RAM), flash memory, or otherdynamic storage device, coupled to bus 502 for storing information andinstructions to be executed by processor 504. Main memory 506 also maybe used for storing temporary variables or other intermediateinformation during execution of instructions to be executed by processor504. Computer system 500 further includes a read only memory (ROM) 508or other static storage device coupled to bus 502 for storing staticinformation and instructions for processor 504. A storage device 510,such as a magnetic disk, flash memory or optical disk, is provided andcoupled to bus 502 for storing information and instructions.

A communication interface 518 may be coupled to bus 502 forcommunicating information and command selections to processor 504.Interface 518 is a conventional serial interface such as an RS-232 orRS-422 interface. An external terminal 512 or other computer systemconnects to the computer system 500 and provides commands to it usingthe interface 514. Firmware or software running in the computer system500 provides a terminal interface or character-based command interfaceso that external commands can be given to the computer system.

A switching system 516 is coupled to bus 502 and has an input interface514 and an output interface 519 to one or more external networkelements. The external network elements may include a local network 522coupled to one or more hosts 524, or a global network such as Internet528 having one or more servers 530. The switching system 516 switchesinformation traffic arriving on input interface 514 to output interface519 according to pre-determined protocols and conventions that are wellknown. For example, switching system 516, in cooperation with processor504, can determine a destination of a packet of data arriving on inputinterface 514 and send it to the correct destination using outputinterface 519. The destinations may include host 524, server 530, otherend stations, or other routing and switching devices in local network522 or Internet 528.

The invention is related to the use of computer system 500 for restricting ARP table updates to updates originating from authorized subsystems. According to one embodiment of the invention, restricting ARP table updates to updates originating from authorized subsystems is provided by computer system 500 in response to processor 504 executing one or more sequences of one or more instructions contained in main memory 506. Such instructions may be read into main memory 506 from another computer-readable medium, such as storage device 510. Execution of the sequences of instructions contained in main memory 506 causes processor 504 to perform the process steps described herein. One or more processors in a multi-processing arrangement may also be employed to execute the sequences of instructions contained in main memory 506. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement the invention. Thus, embodiments of the invention are not limited to any specific combination of hardware circuitry and software.

The term “computer-readable medium” as used herein refers to any medium that participates in providing instructions to processor 504 for execution. Such a medium may take many forms, including but not limited to, non-volatile storage media, volatile storage media, and transmission media. Non-volatile storage media includes, for example, optical or magnetic disks, such as storage device 510. Volatile storage media includes dynamic memory, such as main memory 506. Transmission media includes coaxial cables, copper wire and fiber optics, including the wires that comprise bus 502. Transmission media can also take the form of acoustic or light waves, such as those generated during radio wave and infrared data communications.

Common forms of computer-readable storage media include, for example, a floppy disk, a flexible disk, hard disk, magnetic tape, or any other magnetic medium, a CD-ROM, any other optical medium, punch cards, paper tape, any other physical medium with patterns of holes, a RAM, a PROM, an EPROM, a FLASH-EPROM, any other memory chip or cartridge, or any other medium from which a computer can read.

Various forms of computer readable media may be involved in carrying one or more sequences of one or more instructions to processor 504 for execution. For example, the instructions may initially be carried on a magnetic disk of a remote computer. The remote computer can load the instructions into its dynamic memory and send the instructions over a telephone line using a modem. A modem local to computer system 500 can receive the data on the telephone line and use an infrared transmitter to convert the data to an infrared signal. An infrared detector coupled to bus 502 can receive the data carried in the infrared signal and place the data on bus 502. Bus 502 carries the data to main memory 506, from which processor 504 retrieves and executes the instructions. The instructions received by main memory 506 may optionally be stored on storage device 510 either before or after execution by processor 504.

Communication interface 518 also provides a two-way data communication coupling to a network link 520 that is connected to a local network 522. For example, communication interface 518 may be an integrated services digital network (ISDN) card or a modem to provide a data communication connection to a corresponding type of telephone line. As another example, communication interface 518 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN. Wireless links may also be implemented. In any such implementation, communication interface 518 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information.

Network link 520 typically provides data communication through one or more networks to other data devices. For example, network link 520 may provide a connection through local network 522 to a host computer 524 or to data equipment operated by an Internet Service Provider (ISP) 526. ISP 526 in turn provides data communication services through the worldwide packet data communication network now commonly referred to as the “Internet” 528. Local network 522 and Internet 528 both use electrical, electromagnetic or optical signals that carry digital data streams. The signals through the various networks and the signals on network link 520 and through communication interface 518, which carry the digital data to and from computer system 500, are exemplary forms of carrier waves transporting the information.

Computer system 500 can send messages and receive data, including program code, through the network(s), network link 520 and communication interface 518. In the Internet example, a server 530 might transmit a requested code for an application program through Internet 528, ISP 526, local network 522 and communication interface 518. In accordance with the invention, one such downloaded application provides for restricting ARP table updates to updates originating from authorized subsystems as described herein.

Processor 504 may execute the received code as it is received and/or stored in storage device 510, or other non-volatile storage for later execution. In this manner, computer system 500 may obtain application code in the form of a carrier wave.

5.0 EXTENSIONS AND ALTERNATIVES

In the foregoing specification, the invention has been described with reference to specific embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense.

1. A method of restricting Address Resolution Protocol (ARP) table updates to updates originating from authorized subsystems, the method comprising: receiving an instruction to update an ARP table from a particular subsystem of a network device; determining whether the particular subsystem within the network device from which the instruction originated is authorized; wherein determining that the particular subsystem is authorized comprises determining that the particular subsystem is a Dynamic Host Configuration Protocol (DHCP) server, an Authentication, Authorization, Accounting (AAA) server or a Network Address Translator (NAT); and only if the particular subsystem is authorized, then updating the ARP table based on the instruction.

2. The method of claim 1, wherein determining whether the particular system is authorized comprises determining whether the particular subsystem is a Dynamic Host Configuration Protocol (DHCP) server.

3. The method of claim 1, wherein determining whether the particular system is authorized comprises determining whether the particular subsystem is a Network Address Translator (NAT).

4. The method of claim 1, wherein determining whether the particular system is authorized comprises determining whether the particular subsystem is an Authentication, Authorization, Accounting (AAA) server.

5. The method of claim 1, further comprising: if the particular subsystem is not authorized, then preventing the ARP table from being updated based on the instruction.

6. The method of claim 1, further comprising: if the particular subsystem is not authorized, then performing the steps of: determining whether a particular network interface through which the instruction was received is contained in a set of one or more specified network interfaces; if the particular network interface is contained in the set, then preventing the ARP table from being updated based on the instruction; and if the particular network interface is not contained in the set, then updating the ARP table based on the instruction.

7. The method of claim 1, further comprising: if the particular subsystem is not authorized, then performing the steps of: determining whether a particular network address indicated by the instruction is contained in a set of one or more specified network addresses; if the particular network address is contained in the set, then preventing the ARP table from being updated based on the instruction; and if the particular network address is not contained in the set, then updating the ARP table based on the instruction.

8. The method of claim 1, further comprising: determining whether a specified amount of time has passed since a time indicated by a timestamp associated with an entry in the ARP table; and if the specified amount of time has passed, then removing the entry from the ARP table.

9. The method of claim 1, wherein the ARP table is updated only in response to instructions that are not ARP messages.

10. The method of claim 1, wherein determining whether the particular system is authorized comprises determining whether the particular subsystem is a Hypertext Transfer Protocol (HTTP) server.

11. A method of restricting Address Resolution Protocol (ARP) table updates to updates originating from authorized subsystems, the method comprising: receiving an instruction to update an ARP table from a network device over a particular network interface; determining whether the particular network interface through which the instruction was received is contained in a set of one or more specified network interfaces; determining whether a particular network address indicated by the instruction is contained in a set of one or more specified network addresses; if the particular network interface is not contained in the set of one or more specified network interfaces, and if the particular network address indicated by the instruction is not contained in the set of one or more specified network addresses, then updating the ARP table based on the instruction; and if the particular network interface is contained in the set of one or more specified network interfaces, or if the particular network address is contained in the set of one or more specified network addresses, then performing steps comprising: determining whether a particular subsystem in a network element from which the instruction originated is authorized; wherein determining that the particular subsystem is authorized comprises determining that the particular subsystem is a Dynamic Host Configuration Protocol (DHCP) server, an Authentication, Authorization, Accounting (AAA) server or a Network Address Translator (NAT); only if the particular subsystem is authorized, then updating the ARP table based on the instruction; and if the particular subsystem is not authorized, then preventing the ARP table from being updated based on the instruction.

12. The method of claim 11, wherein receiving the instruction to update the ARP table comprises receiving an ARP message that indicates an association between a network layer address and a data link layer address.

13. A computer-readable storage medium storing one or more sequences of instructions for restricting Address Resolution Protocol (ARP) table updates to updates originating from authorized subsystems, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of: receiving an instruction to update an ARP table from a particular subsystem of a network device; determining whether the particular subsystem within the network device from which the instruction originated is authorized; wherein the step of determining that the particular subsystem is authorized comprises determining that the particular subsystem is a Dynamic Host Configuration Protocol (DHCP) server, an Authentication, Authorization, Accounting (AAA) server or a Network Address Translator (NAT); and only if the particular subsystem is authorized, then updating the ARP table based on the instruction.

14. The computer-readable storage medium of claim 13, wherein the instructions which when executed cause determining whether the particular system is authorized comprise instructions which when executed cause determining whether the particular subsystem is a Dynamic Host Configuration Protocol (DHCP) server.

15. The computer-readable storage medium of claim 13, wherein the instructions which when executed cause determining whether the particular system is authorized comprise instructions which when executed cause determining whether the particular subsystem is a Network Address Translator (NAT).

16. The computer-readable storage medium of claim 13, wherein the instructions which when executed cause determining whether the particular system is authorized comprise instructions which when executed cause determining whether the particular subsystem is an Authentication, Authorization, Accounting (AAA) server.

17. The computer-readable storage medium of claim 13, wherein the one or more stored sequences of instructions, when executed by the processor, further cause the processor to perform: if the particular subsystem is not authorized, then preventing the ARP table from being updated based on the instruction.

18. The computer-readable storage medium of claim 13, wherein the one or more stored sequences of instructions, when executed by the processor, further cause the processor to perform: upon determining that the particular subsystem is not authorized: determining whether a particular network interface through which the instruction was received is contained in a set of one or more specified network interfaces; preventing the ARP table from being updated based on the instruction if the particular network interface is contained in the set; and updating the ARP table based on the instruction if the particular network interface is not contained in the set.

19. The computer-readable storage medium of claim 13, wherein the one or more stored sequences of instructions, when executed by the processor, further cause the processor to perform: upon determining that the particular subsystem is not authorized: determining whether a particular network address indicated by the instruction is contained in a set of one or more specified network addresses; preventing the ARP table from being updated based on the instruction if the particular network address is contained in the set; and updating the ARP table based on the instruction if the particular network address is not contained in the set.

20. The computer-readable storage medium of claim 13, wherein the one or more stored sequences of instructions, when executed by the processor, further cause the processor to perform: determining whether a specified amount of time has passed since a time indicated by a timestamp associated with an entry in the ARP table; and if the specified amount of time has passed, then removing the entry from the ARP table.

21. The computer-readable storage medium of claim 13, wherein the ARP table is updated only in response to instructions that are not ARP messages.

22. The computer-readable storage medium of claim 13, wherein the instructions which when executed cause determining whether the particular system is authorized comprise instructions which when executed cause determining whether the particular subsystem is a Hypertext Transfer Protocol (HTTP) server.

23. An apparatus for restricting Address Resolution Protocol (ARP) table updates to updates originating from authorized subsystems, comprising: a network interface that is coupled to a data network for receiving one or more packet flows therefrom; one or more processors; means for receiving an instruction to update an ARP table from a particular subsystem of a network device; means for determining whether the particular subsystem within the network device from which the instruction originated is authorized; wherein the means for determining that the particular subsystem is authorized comprises means for performing said determining by determining that the particular subsystem is a Dynamic Host Configuration Protocol (DHCP) server, an Authentication, Authorization, Accounting (AAA) server or a Network Address Translator (NAT); and means for updating the ARP table based on the instruction only if the particular subsystem is authorized.

24. The apparatus of claim 23, wherein determining whether the particular system is authorized comprises determining whether the particular subsystem is a Dynamic Host Configuration Protocol (DHCP) server.

25. The apparatus of claim 23, wherein determining whether the particular system is authorized comprises determining whether the particular subsystem is a Network Address Translator (NAT).

26. The apparatus of claim 23, wherein determining whether the particular system is authorized comprises determining whether the particular subsystem is an Authentication, Authorization, Accounting (AAA) server.

27. The apparatus of claim 23, further comprising: if the particular subsystem is not authorized, then preventing the ARP table from being updated based on the instruction.

28. The apparatus of claim 23, further comprising: means for determining whether the particular subsystem is not authorized; means for determining whether a particular network interface through which the instruction was received is contained in a set of one or more specified network interfaces; means for preventing the ARP table from being updated based on the instruction when the particular network interface is contained in the set; and means for updating the ARP table based on the instruction when the particular network interface is not contained in the set.

29. The apparatus of claim 23, further comprising: means for determining whether the particular subsystem is not authorized; means for determining whether a particular network address indicated by the instruction is contained in a set of one or more specified network addresses; means for preventing the ARP table from being updated based on the instruction when the particular network address is contained in the set; and means for updating the ARP table based on the instruction when the particular network address is not contained in the set.

30. An apparatus for restricting Address Resolution Protocol (ARP) table updates to updates originating from authorized subsystems, comprising: a network interface that is coupled to a data network for receiving one or more packet flows therefrom; a processor; and one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of: receiving an instruction to update an ARP table from a particular subsystem of a network device; determining whether the particular subsystem within the network device from which the instruction originated is authorized; wherein determining that the particular subsystem is authorized comprises determining that the particular subsystem is a Dynamic Host Configuration Protocol (DHCP) server, an Authentication, Authorization, Accounting (AAA) server or a Network Address Translator (NAT); and only if the particular subsystem is authorized, then updating the ARP table based on the instruction.

31. The apparatus of claim 30, wherein the instructions which, when executed, cause the processor to carry out the step of determining whether the particular system is authorized comprise instructions which, when executed, cause the processor to carry out the step of determining whether the particular subsystem is a Dynamic Host Configuration Protocol (DHCP) server.

32. The apparatus of claim 30, wherein the instructions which, when executed, cause the processor to carry out the step of determining whether the particular system is authorized comprise instructions which, when executed, cause the processor to carry out the step of determining whether the particular subsystem is a Network Address Translator (NAT).

33. The apparatus of claim 30, wherein the instructions which, when executed, cause the processor to carry out the step of determining whether the particular system is authorized comprise instructions which, when executed, cause the processor to carry out the step of determining whether the particular subsystem is an Authentication, Authorization, Accounting (AAA) server.

34. The apparatus of claim 30, further comprising instructions which, when executed, cause the processor to carry out the step of preventing the ARP table from being updated based on the instruction if the particular subsystem is not authorized.

35. The apparatus of claim 30, further comprising instructions which, when executed, cause the processor to carry out the steps of: determining whether the particular subsystem is not authorized; determining whether a particular network interface through which the instruction was received is contained in a set of one or more specified network interfaces; preventing the ARP table from being updated based on the instruction when the particular network interface is contained in the set; and updating the ARP table based on the instruction when the particular network interface is not contained in the set.

36. The apparatus of claim 30, further comprising instructions which, when executed, cause the processor to carry out the steps of: determining whether the particular subsystem is not authorized; determining whether a particular network address indicated by the instruction is contained in a set of one or more specified network addresses; preventing the ARP table from being updated based on the instruction when the particular network address is contained in the set; and updating the ARP table based on the instruction when the particular network address is not contained in the set.
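As an added example, not code from the patent, the following Python model walks through the decision logic of claims 1, 6 to 8 and 11: an update that touches a protected interface or a protected address is applied only when it originates from an authorized subsystem (DHCP, AAA or NAT), any other update is applied directly, and entries older than a fixed lifetime are removed. The subsystem and interface names, the entry lifetime and the sample instructions are constructed for illustration.

```python
"""Model of the ARP-table update guard described in the claims.

Added example, not code from the patent. The subsystem and interface
names, the entry lifetime and the sample instructions are constructed.
"""
from dataclasses import dataclass, field

# Subsystems the claims treat as authorized sources of ARP table updates
# (claim 1): the DHCP server, the AAA server and the NAT.
AUTHORIZED_SUBSYSTEMS = frozenset({"dhcp", "aaa", "nat"})


@dataclass
class UpdateInstruction:
    ip: str          # network layer address
    mac: str         # data link layer address
    subsystem: str   # originating subsystem, e.g. "dhcp" or "arp" (constructed names)
    interface: str   # network interface the instruction was received through


@dataclass
class GuardedArpTable:
    # Interfaces and addresses for which only authorized subsystems may update
    # the table (claim 11); subscriber-facing ports and gateway addresses belong here.
    protected_interfaces: frozenset
    protected_addresses: frozenset
    entry_lifetime: float = 300.0   # seconds before an entry is removed (claim 8)
    entries: dict = field(default_factory=dict)   # ip -> (mac, timestamp)

    def apply(self, instr: UpdateInstruction, now: float) -> bool:
        """Return True if the table was updated, False if the update was refused."""
        exposed = (instr.interface in self.protected_interfaces
                   or instr.ip in self.protected_addresses)
        # Claim 11: an instruction touching a protected interface or address is
        # applied only if it came from an authorized subsystem; others are applied.
        if exposed and instr.subsystem not in AUTHORIZED_SUBSYSTEMS:
            return False
        self.entries[instr.ip] = (instr.mac, now)
        return True

    def expire(self, now: float) -> list:
        """Claim 8: drop entries whose timestamp is older than entry_lifetime."""
        stale = [ip for ip, (_, stamp) in self.entries.items()
                 if now - stamp >= self.entry_lifetime]
        for ip in stale:
            del self.entries[ip]
        return stale


def demo():
    """Walk three constructed instructions through the guard, then expire entries."""
    table = GuardedArpTable(protected_interfaces=frozenset({"eth1"}),
                            protected_addresses=frozenset({"10.0.0.1"}))
    t0 = 1000.0
    # The DHCP server binds a subscriber's address on the protected port: applied.
    from_dhcp = table.apply(
        UpdateInstruction("10.0.0.50", "aa:bb:cc:00:00:01", "dhcp", "eth1"), t0)
    # An ARP message on the same port claims the protected gateway address: refused.
    from_arp = table.apply(
        UpdateInstruction("10.0.0.1", "aa:bb:cc:00:00:99", "arp", "eth1"), t0)
    # An ARP message on an unprotected port for an unprotected address: applied.
    from_trunk = table.apply(
        UpdateInstruction("10.0.0.200", "aa:bb:cc:00:00:02", "arp", "eth0"), t0)
    expired = table.expire(t0 + table.entry_lifetime + 1)
    return from_dhcp, from_arp, from_trunk, expired


if __name__ == "__main__":
    print(demo())   # (True, False, True, ['10.0.0.50', '10.0.0.200'])
```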